build with golang 1.22.7 to address CVE-2024-34156 #3916

ssmirr · 2024-09-18T20:08:17Z

this high severity CVE was found in current release of esbuild as a result of being built with golang 1.22.5:

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.22.5            │ 1.22.7, 1.23.1  │ encoding/gob: golang: Calling Decoder.Decode on a message   │
│         │                │          │        │                   │                 │ which contains deeply nested structures...                  │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-34156                  │

Bump golang to 1.22.7 in ci workflow (this PR)
TODO: A follow up release / push to npm would be great after this is merge

update go 1.22.5 => 1.22.7

437283b

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build with golang 1.22.7 to address CVE-2024-34156 #3916

build with golang 1.22.7 to address CVE-2024-34156 #3916

ssmirr commented Sep 18, 2024 •

edited

Loading

build with golang 1.22.7 to address CVE-2024-34156 #3916

Are you sure you want to change the base?

build with golang 1.22.7 to address CVE-2024-34156 #3916

Conversation

ssmirr commented Sep 18, 2024 • edited Loading

ssmirr commented Sep 18, 2024 •

edited

Loading